Diffstat (limited to 'lib/libc')
| -rw-r--r-- | lib/libc/Symbols.list | 2 | ||||
| -rw-r--r-- | lib/libc/hidden/unistd.h | 3 | ||||
| -rw-r--r-- | lib/libc/sys/Makefile.inc | 6 | ||||
| -rw-r--r-- | lib/libc/sys/pledge.2 | 8 | ||||
| -rw-r--r-- | lib/libc/sys/unveil.2 | 158 |
5 files changed, 171 insertions, 6 deletions
diff --git a/lib/libc/Symbols.list b/lib/libc/Symbols.list
index 63420faebdd..55500aea43d 100644
--- a/lib/libc/Symbols.list
+++ b/lib/libc/Symbols.list
@@ -231,6 +231,7 @@ _thread_sys_umask
 _thread_sys_unlink
 _thread_sys_unlinkat
 _thread_sys_unmount
+_thread_sys_unveil
 _thread_sys_utimensat
 _thread_sys_utimes
 _thread_sys_utrace
@@ -434,6 +435,7 @@ umask
 unlink
 unlinkat
 unmount
+unveil
 utimensat
 utimes
 utrace
diff --git a/lib/libc/hidden/unistd.h b/lib/libc/hidden/unistd.h
index bfa424fe795..692951637c8 100644
--- a/lib/libc/hidden/unistd.h
+++ b/lib/libc/hidden/unistd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: unistd.h,v 1.10 2016/09/12 19:36:26 guenther Exp $ */
+/* $OpenBSD: unistd.h,v 1.11 2018/07/13 09:25:22 beck Exp $ */
 /*
 * Copyright (c) 2015 Philip Guenther <guenther@openbsd.org>
 *
@@ -161,6 +161,7 @@ PROTO_NORMAL(ttyname_r);
 PROTO_DEPRECATED(ualarm);
 PROTO_NORMAL(unlink);
 PROTO_NORMAL(unlinkat);
+PROTO_NORMAL(unveil);
 PROTO_DEPRECATED(usleep);
 PROTO_WRAP(vfork);
 PROTO_CANCEL(write);
diff --git a/lib/libc/sys/Makefile.inc b/lib/libc/sys/Makefile.inc
index 6823d7472a8..e7792063ae9 100644
--- a/lib/libc/sys/Makefile.inc
+++ b/lib/libc/sys/Makefile.inc
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile.inc,v 1.154 2018/01/12 04:36:12 deraadt Exp $
+# $OpenBSD: Makefile.inc,v 1.155 2018/07/13 09:25:22 beck Exp $
 # $NetBSD: Makefile.inc,v 1.35 1995/10/16 23:49:07 jtc Exp $
 # @(#)Makefile.inc 8.1 (Berkeley) 6/17/93
@@ -73,7 +73,7 @@ ASM= __semctl.o __syscall.o __thrsigdivert.o \
 shmget.o shutdown.o sigaltstack.o socket.o \
 socketpair.o stat.o statfs.o swapctl.o symlink.o symlinkat.o \
 sysarch.o sysctl.o thrkill.o unlink.o unlinkat.o \
- unmount.o utimensat.o utimes.o utrace.o
+ unmount.o unveil.o utimensat.o utimes.o utrace.o
 SRCS+= ${SRCS_${MACHINE_CPU}}
 .for i in ${SRCS_${MACHINE_CPU}}
@@ -195,4 +195,4 @@ MAN+= __get_tcb.2 __thrsigdivert.2 __thrsleep.2 _exit.2 accept.2 \
 sigprocmask.2 sigreturn.2 sigsuspend.2 socket.2 \
 socketpair.2 stat.2 statfs.2 swapctl.2 symlink.2 \
 sync.2 sysarch.2 syscall.2 sysctl.2 thrkill.2 truncate.2 \
- umask.2 unlink.2 utimes.2 utrace.2 vfork.2 wait.2 write.2
+ umask.2 unlink.2 unveil.2 utimes.2 utrace.2 vfork.2 wait.2 write.2
diff --git a/lib/libc/sys/pledge.2 b/lib/libc/sys/pledge.2
index ab606be7960..3c32586c478 100644
--- a/lib/libc/sys/pledge.2
+++ b/lib/libc/sys/pledge.2
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pledge.2,v 1.52 2018/03/16 07:11:03 jmc Exp $
+.\" $OpenBSD: pledge.2,v 1.53 2018/07/13 09:25:22 beck Exp $
 .\"
 .\" Copyright (c) 2015 Nicholas Marriott <nicm@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 16 2018 $
+.Dd $Mdocdate: July 13 2018 $
 .Dt PLEDGE 2
 .Os
 .Sh NAME
@@ -553,6 +553,10 @@ Allow operation for statistics collection from a
 .Xr bpf 4
 device.
+.It Va unveil
+Allow
+.Xr unveil 2
+to be called.
 .It Va error
 Rather than killing the process upon violation, indicate error with
 .Er ENOSYS .
diff --git a/lib/libc/sys/unveil.2 b/lib/libc/sys/unveil.2
new file mode 100644
index 00000000000..d98515dd6a2
--- /dev/null
+++ b/lib/libc/sys/unveil.2
@@ -0,0 +1,158 @@
+.\" $OpenBSD: unveil.2,v 1.1 2018/07/13 09:25:22 beck Exp $
+.\"
+.\" Copyright (c) 2018 Bob Beck <beck@openbsd.org>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: July 13 2018 $
+.Dt UNVEIL 2
+.Os
+.Sh NAME
+.Nm unveil
+.Nd unveil parts of a restricted filesystem view
+.Sh SYNOPSIS
+.In unistd.h
+.Ft int
+.Fn unveil "const char *path" "const char *flags"
+.Sh DESCRIPTION
+The first call to
+.Nm
+removes visibility of the envire filesystem from all other
+filesystem-related system calls (
+.Xr open 2 ,
+.Xr chmod 2 ,
+.Xe rename 2,
+etc).
+except for the specified
+.Ar path.
+Subequent calls to
+.Nm
+expose additional views of the filesystem.
+.Pp
+The
+.Nm
+call is treated specially and can continue to see the filesystem for
+subsequent calls.
+.Nm
+can be locked,
+preventing further filesytem exposure by calling
+.Nm
+with two
+.Ar NULL
+arguments.
+.Xr pledge 2
+may alternatively be used
+to remove the "unveil" permission.
+.Pp
+The
+.Fa flags
+argument points to a string consisting of the following characters.
+.Pp
+.Bl -tag -width c -offset indent -compact
+.It Dv r
+.Ar path
+hould be made be available for read operations corresponding to
+.Xr pledge 2
+promise
+.Ar rpath .
+.It Dv w
+.Ar path
+should be available for write operations corresponding to
+.Xr pledge 2
+promise
+.Ar wpath .
+.It Dv x
+.Ar path
+should be available for execute operations corresponding to
+.Xr pledge 2
+promise
+.Ar wpath .
+.It Dv c
+.Ar path
+should be allowed to be created and removed, corresponding to
+.Xr pledge 2
+promise
+.Ar cpath .
+.El
+.Pp
+A
+.Ar path
+that is a directory will enable all filesystem access underneath
+.Ar path
+using
+.Ar flags
+if and only if no more specific matching
+.Fn unveil
+exists at a lower level.
+.Pp
+Attempts to access paths not allowed by
+.Nm
+will result in an error of
+.Ar EACCES
+when the
+.Ar flags
+argument does not match the attempted operation.
+.Ar ENOENT
+is returned for paths for which no
+.Nm
+flags are present.
+.Pp
+As with
+.Xr pledge 2 ,
+the use of
+.Fn unveil
+in an application will require lots of study and understanding
+of the interfaces called.
+In most cases it is best practice to unveil the directories
+in which an application makes use of files.
+It is important to consider that directory results are remembered at
+the time of a call to
+.Fn unveil .
+This means that a directory that is removed and recreated after a call to
+.Fn unveil
+will appear to not exist.
+Non directories are remembered by name within their containing directory,
+and so may be created, removed, or re-created after a call to
+.Fn unveil
+and still appear to exist.
+.Sh RETURN VALUES
+.Fn unveil
+returns 0 on success or -1 on failure.
+.Sh ERRORS
+.Bl -tag -width Er
+.It E2BIG
+The addition of
+.Ar path
+would exceed the per-process limit for pledged paths.
+.It ENOENT
+A directory in
+.Ar path
+did not exist.
+.It EINVAL
+An invalid value of
+.Ar flags
+was used.
+.It EPERM
+An attempt to add permission to
+.Ar flags
+was made, or
+.Ar path
+was not accessible, or
+.Nm
+was called after it was locked
+.El
+.Sh HISTORY
+The
+.Fn unveil
+system call first appeared in
+.Ox 6.4 .
|
